﻿\chapter{Related Work}

The idea of this project was inspired by the many others who have researched and implemented secure systems using virtualization.

The initial idea for introspection based security systems using virtualization technology was published by Garfinkel \cite{garfinkel:vmi}. This paper initiated a new field of research that could bring more secure systems implementations. The system was implemented on a modified VM ware workstation and had the ability to intercept the VMs system call requests. They achieved many detection methods for successful detection where some of the detection approaches are enabled by the modifications to VMM and guest host.  
Changing any code for the purpose of the detection system is something that is tried to be avoided in this implementation. Only the existing support of XenControl library is used and the rest of the detector resides on a user level application.


Antfarm \cite{antfarm} is a process tracking system on virtualized Hosts. They say that the process, can be accurately and efficiently inferred inside a VMM by observing the interaction of a guest OS
with its virtual hardware. This method is a useful alternative to explicitly exporting the required information to the VMM directly. By enabling a VMM to independently infer the information it needs, the VMM is decoupled from the specific vendor, version, and even correctness of the guests it supports.
The implementation of a advanced detection system will require the capability to detect events happening inside the Virtual Machines. Techniques used by AntFarm can be further improved to create a detection system or honeypot system that can more closely monitor the activities of the virtualized hosts.



XenFit \cite{XenFIT} is a file-system integrity monitor running on Xen. XenFIT can monitor and fires alarms on intrusion in real-time manner, and the approach does not require to create and update the database like in the legacy methods. XenFIT works by dynamically patching memory of the protected machine, so it is not necessary to install any kernel code or user-space application into the protected machines. XenFit checks for file system security breaches by detecting integrity violations from a clean VM. 



The paper \cite{re-establishTrust} introduce the notion of re-establishing trust in compromised systems, specifically looking at recovering from kernel-level rootkits. They handle the problem of trusted system calls been replaced with trojaned system calls. Their approach to recover from these type of rootkits is to extract the system call table from a known-good kernel image and reinstall the system call table into the running kernel. They discuss future generation rootkits and address how to recover from them.
In our project implementation the original kernel table is maintained allowing the ability to replace the system call entry to the original value in case of a change.


Copilot is a kernel integrity monitor that is run on a PCI add-in card \cite{copilot}. The copilot detector does not run on the infected kernel, making reliable detection possible. Copilot monitor can be expected to correctly detect malicious kernel modifications even on hosts with kernels too thoroughly compromised to allow the correct execution of traditional integrity monitoring software. The Copilot monitor does not require any modifications to the host’s software and can therefore be easily applied to commodity systems. The Copilot monitor prototype has proven to be an effective kernel integrity monitor in tests against 12 common kernel-modifying rootkits. 


VMwatcher \cite{vmIntroSemantics} is a system where existing anti malware systems are made to scan the monitored host from ``out of the box". Their main issue address is the bridging of the semantic gap that exists between two virtual machines. They have run several existing antivirus software and successfully scanned for vulnerabilities on a few virtualization technologies. The existing anti virus scanning is done using file system semantic regeneration which is considered to be easier than memory semantic regeneration. The memory semantic regeneration they have used is similar to the approach we have made in this project. The exact method in which they obtain the differing kernel objects or data types has not been clearly mentioned. The source code of their implementation is also not available therefore using their approaches or studying how they have implemented is not possible.


XenKimono \cite{rootkit} is a implementation of a tamper resistant rootkit detector using Xen. The rootkit detector runs on a different VM than the VM being monitored. XenKimono is a extensive rootkit detector that scans many different areas of the kernel at runtime. It detects for changes to static kernel objects. Uses cross view detection methods to find differences between user level view and kernel level view of kernel modules, user processes and network sockets. Watch for user privilege changes and looks at the network interface. It has successfully detected few rootkits and can detect unknown rootkits if the new rootkit employs at least one of the detection methods used.
XenKimono has not described how it does the address translations needed before the mapping of memory. The way in which they have obtained the semantics seems to be a good way, but its implementation or logic is not described. The DomU kernel they use have to be compiled with kernel debugging information which means that XenKimono will not work for any compilation configuration. XenKimono has still not been published using GNU license as a open source project so there is no way to learn from their implementation.


XenAccess open source library \cite{bryanSecureVM} was the main base used in this project to facilitate introspection. XenAccess library focuses of using the features in Xen to facilitate introspection without modifying the Xen hypervisor. This library allows the privileged domain to access another domain's memory addresses directly. Even though the library can be used straight forward to get memory mapped there is a lot of functionality with respect to Xen virtualized memory management being done internally. A small portion of kernel memory can be mapped linearly. Yet translation of a very large portion of memory space should be done through the use of page tables. This complexity has been handled by the library to provide introspection based integrity detectors look into other complexities.
XenAccess has a few limitations where only a few Xen versions are supported as it is still in its development.
The internals of how address translations happen is a main function that has to be learned when doing memory introspection. Therefore XenAccess source code was read to get a understanding about address translation internals.


All of the above mentioned projects as well as few more related projects helped in the completion of this project. Most of the projects were used to get the higher level ideas whereas XenAccess provided the implementation level understanding of how introspection happens. 


